Latest version is designed to help users block more Java exploits on websites.

Oracle plans to release an update for the widely exploited Java browser plugin. The update fixes 39 critical vulnerabilities and introduces changes designed to make it harder to carry out drive-by attacks on end-user computers.

The update scheduled for Tuesday comes as the security of Java is reaching near-crisis levels. Throughout the past year, a series of attacks hosted on popular websites has been used to surreptitiously install malware on unwitting users' machines. The security flaws have been used to infect employees of Facebook and Apple in targeted attacks intended to penetrate those companies. The vulnerabilities have also been exploited to hijack computers of home and business users. More than once, attackers have exploited one previously undocumented bug within days or weeks of patching a previous "zero-day," as such vulnerabilities are known, creating a string of attacks on the latest version of the widely used plugin.

In all, Java 7 Update 21 will fix at least 42 security bugs, Oracle said in a pre-release announcement. The post went on to say that "39 of those vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password." The advisory didn't specify or describe the holes that will be patched. Security Explorations, a Poland-based security company that has discovered dozens of "security issues" in Java, has a running list of them here.

In addition to the bug fixes, Oracle developers plan to roll out changes to Java that are intended to help end users make better decisions about when (and when not) to allow Java code to be executed in their browsers. Under the update, Java will display a variety of messages and dialog boxes, such as the one shown above, when it encounters websites that host Java applets. In some cases, the code will be executed only after an end user clicks an "OK" button.

"The messages presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority," an article posted to Oracle's Java.com explained. "Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future."

By contrast, higher-risk apps will be accompanied by a message that includes an exclamation point in a yellow warning triangle when the app certificate is untrusted or expired, or a yellow warning shield when the app is unsigned or is signed by a certificate that's not valid.

Oracle introduced a similar dialog message scheme late last year, but as previously reported by Ars, it doesn't check the validity of application certificates. It's a shortcoming that makes it easy for attackers to bypass the protection. That's because it presents certificates as trustworthy even when they've been reported as stolen and added to publicly available revocation databases. The failure of Java to check certificate revocation lists came to light last month after Java gave the green light to a malicious app even though the digital certificate signing it had been revoked by the company that owned it.
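The revocation gap described above is easy to see in code. The following is an added example, not Oracle's plugin code and not from Ars: a small stand-alone Java program that extracts each code signer's certificate chain from a signed JAR (the container an applet ships in) and validates it against the JRE's default truststore with revocation checking switched on, so that a chain whose signing certificate has been revoked is rejected rather than shown as trustworthy. It assumes the standard `cacerts` truststore under `java.home` with the JDK's default password, and it relies on the `com.sun.security.enableCRLDP` and `ocsp.enable` properties, which make the PKIX validator fetch the CRL distribution points and OCSP responders named in the certificates (so it needs network access to those endpoints).

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: validate a signed JAR's signer chains WITH revocation checking. */
public class SignerRevocationCheck {

    /** Loads the JRE's default truststore (assumption: default location and password). */
    static KeyStore loadDefaultTrustStore() throws Exception {
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray()); // "changeit" is the JDK default password
        }
        return ks;
    }

    /** Collects one certificate chain per code signer found in the JAR's entries. */
    static List<List<X509Certificate>> signerChains(JarFile jar) throws Exception {
        List<List<X509Certificate>> chains = new ArrayList<>();
        byte[] buf = new byte[8192];
        for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements(); ) {
            JarEntry entry = en.nextElement();
            if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
            // Signature data is only populated after the entry has been read to the end.
            try (java.io.InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) { /* drain to trigger verification */ }
            }
            CodeSigner[] signers = entry.getCodeSigners();
            if (signers == null) continue; // unsigned entry
            for (CodeSigner signer : signers) {
                List<X509Certificate> chain = new ArrayList<>();
                for (Certificate c : signer.getSignerCertPath().getCertificates()) {
                    chain.add((X509Certificate) c);
                }
                if (!chains.contains(chain)) chains.add(chain);
            }
            if (!chains.isEmpty()) break; // one signed entry is enough to learn the signers
        }
        return chains;
    }

    /** Returns "VALID" or "REJECTED: <reason>". Revocation status is part of the verdict. */
    static String validate(List<X509Certificate> chain, KeyStore trust) throws Exception {
        // Tell the PKIX validator to consult CRL distribution points and OCSP responders.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Security.setProperty("ocsp.enable", "true");

        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(true); // the check the plugin was reported to skip
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "VALID";
        } catch (CertPathValidatorException e) {
            // e.getReason() is BasicReason.REVOKED for a revoked signer, EXPIRED, etc.
            return "REJECTED: " + e.getReason() + " (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SignerRevocationCheck <signed.jar>");
            System.exit(2);
        }
        KeyStore trust = loadDefaultTrustStore();
        try (JarFile jar = new JarFile(args[0], true)) { // verify=true checks the signatures
            List<List<X509Certificate>> chains = signerChains(jar);
            if (chains.isEmpty()) {
                System.out.println("UNSIGNED: no code signers found");
                return;
            }
            for (List<X509Certificate> chain : chains) {
                System.out.println(chain.get(0).getSubjectX500Principal() + " -> "
                        + validate(chain, trust));
            }
        }
    }
}
```

Run it as `java SignerRevocationCheck some-applet.jar`. A chain whose leaf certificate appears on its issuer's CRL comes back as `REJECTED: REVOKED`, which is the verdict a warning dialog should be built on; with `setRevocationEnabled(false)` the same chain validates cleanly, which is exactly the behaviour the article criticises.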

For almost a year now, Ars has been calling on Oracle developers to rigorously audit the Java software framework to patch the most critical security holes. It's also crucial for Java to be outfitted with protections designed to help end users block drive-by attacks and to lessen the damage that can be done when vulnerabilities are exploited. It will take a few weeks to know if Tuesday's update will finally deliver these long-overdue changes. We're certainly keeping our fingers crossed, but in the meantime, we're repeating our oft-repeated advice: users who have no need for the Java browser plugin should uninstall it, or users could reserve a specific browser for the handful of websites they use that require Java and a separate browser for all other sites.

Aside from when I took online classes, it just seems like having Java installed on my home machine doesn't accomplish much more than willingly adding back doors, and having one extra update nag alongside Adobe Flash Player/Reader - which already have plenty of vulnerabilities of their own.

I am having a hard time telling if this is just a byproduct of java being one of the most popular products around or if java really is that poorly made.

Comparing it to the average number of vulnerabilities fixed in other high profile targets/patch would be a limited but still useful metric. Flash and IE are the most obvious candidates; with acrobat reader probably third. .Net framework/Silverlight are probably the closest match in terms of functional equivalence to Java; but are less attractive as targets due to lower historical penetration levels. The problem with looking at Windows itself directly is that it's a much larger target than just Java.

I don't think it's an issue of it being poorly made, but more an issue of Oracle purchased Java, and has not put a lot of resources into keeping it up-to-date.

I would really like to get rid of that annoying Java pop-up telling me that there's an update, but I'm not willing to risk it since there has been such a large surge in found zero-day bugs in java starting last year, that I'm not willing to give it a chance. Unfortunately, I'm not able to get rid of Java due to needing it for work, but I'd certainly like to.

In addition to the bug fixes, Oracle developers plan to roll out changes to Java that are intended to help end users make better decisions about when (and when not) to allow Java code to be executed in their browsers. Under the update, Java will display a variety of messages and dialog boxes, such as the one shown above, when it encounters websites that host Java applets. In some cases, the code will be executed only after an end user clicks an "OK" button.

Seems like it would be better if it didn't execute the code, regardless of which button was pushed. Maybe that's coming in next week's security patch.

The only reason I have Java installed is due to certain enterprise applications. What I wouldn't give for an easy-to-use white list of sites. Having to manually enable/disable Java is very inconvenient.

Well at least two companies have lost out on my business in the last two months because they rely on java web applets. One was SpiderOak for cloud storage and the other was a tax preparation company that did disability trusts at a reasonable price. I'm usually not that paranoid, but too many problems recently to risk it.

The only reason I have Java installed is due to certain enterprise applications. What I wouldn't give for an easy-to-use white list of sites. Having to manually enable/disable Java is very inconvenient.

I believe you can configure Noscript (or the equivalent on your browser of choice) to operate with a white list rather than a black list.

OK now repeat after me: "The Java browser plugin is NOT all of Java. I don't need the Java browser plugin to run Minecraft or any other desktop software written in Java. The Java runtime on the desktop is not a security risk any more than native software, .NET software or any other software running as desktop application. All the news I've read about Java security problems are about the Java browser plugin and do not apply to Java runtime for desktop app. I can disable the Java browser plugin and continue to use Java desktop software just fine."

I am having a hard time telling if this is just a byproduct of java being one of the most popular products around or if java really is that poorly made.

Java is poorly made.

Internet Explorer and Google Chrome are both significantly more popular than Java, and they both are capable of doing the same job (execution of pretty much arbitrary code downloaded from any website on the internet).

The difference is Java started out from scratch as a powerful suite of software, which was written in a hurry without much concern for security. Internet Explorer, Chrome/Safari, FireFox, Opera, etc all started out with a very simple/limited toolkit that they knew was secure, and over many years they carefully added new features always making sure to find a way to implement them securely.

Every web browser has had a long history of security holes, but they are few and far between and these days usually extremely difficult to exploit. This java patch fixes *39* exploits. Web browsers usually fix a single exploit with their patches, and they do it far less often.

When a new technology is proposed for the web, it is discussed and experimented with for years before going live. WebGL for example has been in development for years, but most browsers either haven't implemented it or have done so but turned it off unless you go into advanced settings. There are zero known exploits in WebGL, but most browser vendors say that's not good enough. Eventually they will be satisfied, and then webpages will start using it (a few websites, such as google maps, can use WebGL if you turn it on).

I will not be happy until Oracle formally shuts down the browser plugin. You shouldn't be allowed to run Java in a browser. The percentage of malware distributed by Java is frankly disgusting and we have perfectly good alternatives.

Aw, hell. I've got a user who needs to run a Java applet through her web browser, and the fucking vendor hasn't fixed the app to work in Java 7 yet. I don't have the option of telling her /not/ to run the applet either.

Great, now when is Oracle going to release something to help enterprise users keep this crap updated?

Why would Oracle need to do that? Enterprise environments will use SCCM or something similar to push out updates.

Which assumes that the Java installer is actually capable of being pushed out by SCCM and similar. Believe me, it isn't. For initial installs it's ok. For upgrades it fails. I've been banging my head against the wall with this one for months.

Flash, for all its faults, is at least available with a standard MSI installer if you ask for it. It has an upgrade mechanism that works. Adobe provide a SCUP catalog to those who want it. They at least have an idea of how enterprises work and deploy software. Oracle don't have a clue. Extracting the MSI from the java installer is unsupported and breaks the Java installation on the pc if you try to update it. It's a nightmare. It's mildly scary to say it but Oracle could learn from Adobe here.

- It gives no indication of the source (Java), possibly looking shady in the process. If your warning looks like malware/sleazeware then it's a lot harder to train people to pay attention to it.
- Being platform/OS/Browser agnostic means that your "this is important" visual cues won't match what the user expects (possibly also looking suspect.)
- There's nothing that tells a casual user what this MEANS. Not everybody knows why an unsigned app from an unexpected location might be bad.
- The "I accept" box should be strongly challenged, like when you accept an unsigned ssl certificate in Mozilla products-- a two click "yeah, sure" should not be acceptable.

It's really not nearly "in your face" enough. Running unsigned apps through a browser (at *least* from any domain other than the local domain) should be off by default, anyway.

I wish they would just drop the browser plugin or rename it. It is obsolete anyway and it is doing enormous damage to the reputation of the core java brand and language. Now everyone thinks java itself is vulnerable, when it is just the plugin.

The Java platform is about the only viable alternative to .net and I'd hate for companies to move away from it because all they hear is that java is vulnerable.

Why the uproar? Operating systems and browsers constantly release updates to fix their own security flaws. The focus on part of Java doesn't seem balanced.

It's not just the frequency of updates (this being the 5th update in 4 months), but also the large number of flaws being patched. A typical monthly update for IE doesn't normally patch enough flaws to even go into double digits, and I can't recall a Patch Tuesday even for Windows and IE combined that fixed anything approaching 42 individual bugs.

The only reason I have Java installed is due to certain enterprise applications. What I wouldn't give for an easy-to-use white list of sites. Having to manually enable/disable Java is very inconvenient.

I believe you can configure Noscript (or the equivalent on your browser of choice) to operate with a white list rather than a black list.

Last time I looked into it, that was not possible in any of the browsers I use. Noscript disables all scripting, not just Java.

I have Java installed (I'm a web developer, sometimes I need it) but it is permanently disabled in preferences. When I need it, I go in and turn it on for 5 minutes then immediately turn it off. Apple has done the best job, they will turn it off automatically if you haven't used it for a while.

Why the uproar? Operating systems and browsers constantly release updates to fix their own security flaws. The focus on part of Java doesn't seem balanced.

The uproar is because vulnerabilities in operating systems and browsers do not get exploited continuously in the real world. Their exploits are mostly theoretical, get patched quickly, and are rarely actually used by hackers.

Virtually all users are running a version of Java with known vulnerabilities, and most malware that *actually gets installed* happens via one of those exploits.

Great, now when is Oracle going to release something to help enterprise users keep this crap updated?

Why would Oracle need to do that? Enterprise environments will use SCCM or something similar to push out updates.

Which assumes that the Java installer is actually capable of being pushed out by SCCM and similar. Believe me, it isn't. For initial installs it's ok. For upgrades it fails. I've been banging my head against the wall with this one for months.

Flash, for all its faults, is at least available with a standard MSI installer if you ask for it. It has an upgrade mechanism that works. Adobe provide a SCUP catalog to those who want it. They at least have an idea of how enterprises work and deploy software. Oracle don't have a clue. Extracting the MSI from the java installer is unsupported and breaks the Java installation on the pc if you try to update it. It's a nightmare. It's mildly scary to say it but Oracle could learn from Adobe here.

I push out Java updates successfully through SCCM all the time. I'm not the one that packages them mind you. We have a central ECM group that creates the package. I simply create the advertisement and point it to the right collection. It typically installs correctly on 95% of computers. That's for both JRE6 and JRE7.

Edit: I just looked at the script that installs Java and it does uninstall previous versions first. So perhaps performing a true update via SCCM is difficult. Nevertheless, I don't see any drawbacks to the method of uninstalling and then installing Java. It works for us and it's a very effective way to keep Java updated when dealing with large numbers of computers.

I am having a hard time telling if this is just a byproduct of java being one of the most popular products around or if java really is that poorly made.

Java is poorly made.

Internet Explorer and Google Chrome are both significantly more popular than Java, and they both are capable of doing the same job (execution of pretty much arbitrary code downloaded from any website on the internet).

The difference is Java started out from scratch as a powerful suite of software, which was written in a hurry without much concern for security. Internet Explorer, Chrome/Safari, FireFox, Opera, etc all started out with a very simple/limited toolkit that they knew was secure, and over many years they carefully added new features always making sure to find a way to implement them securely.

Every web browser has had a long history of security holes, but they are few and far between and these days usually extremely difficult to exploit. This java patch fixes *39* exploits. Web browsers usually fix a single exploit with their patches, and they do it far less often.

When a new technology is proposed for the web, it is discussed and experimented with for years before going live. WebGL for example has been in development for years, but most browsers either haven't implemented it or have done so but turned it off unless you go into advanced settings. There are zero known exploits in WebGL, but most browser vendors say that's not good enough. Eventually they will be satisfied, and then webpages will start using it (a few websites, such as google maps, can use WebGL if you turn it on).

I will not be happy until Oracle formally shuts down the browser plugin. You shouldn't be allowed to run Java in a browser. The percentage of malware distributed by Java is frankly disgusting and we have perfectly good alternatives.

Does the Java web plugin suck? Yes. Is Java poorly made overall? No. You act as if everybody else did everything the right way. I've got one example to prove you wrong: ActiveX. Both allow remote code execution in the browser. Both should be killed. The Java web plugin is easier to get rid of than ActiveX from IE since ActiveX is the binding framework between IE and web plugins like Flash and the Java web plugin.

Now, Java as a framework is hard to beat because of the breadth of available APIs for it and how those APIs are 98% accessible from all platforms. The GUI parts are hard to define percentages for because of needing a display server and not all platforms have a display server. Java's been around for almost 20 years and is now being used as a vector. Pretty damn good track record if you ask me.

Sure, there are flaws with Java that I will groan about (Java generics is the usual one), but overall I still use it because I can write a program in Linux and have it run on Windows (if I take some caution, not a lot though) no questions asked. Can you do that with C/C++? Not unless you use a cross-platform framework and recompile it for the target platform.

I am having a hard time telling if this is just a byproduct of java being one of the most popular products around or if java really is that poorly made.

To the best of my understanding, the JVM itself is reasonably sound and well regarded; but the 'sandbox' designed to make it suitable for running untrusted god-knows-what from the web (rather than the tame server workloads or CPU-architecture abstraction layer for embedded devices use cases that it actually quietly handles in the background without much fanfare or ruin) is a serious mess.

Why the uproar? Operating systems and browsers constantly release updates to fix their own security flaws. The focus on part of Java doesn't seem balanced.

The uproar is because vulnerabilities in operating systems and browsers do not get exploited continuously in the real world. Their exploits are mostly theoretical, get patched quickly, and are rarely actually used by hackers.

Virtually all users are running a version of Java with known vulnerabilities, and most malware that *actually gets installed* happens via one of those exploits.

They also don't usually fix 39 REMOTE CODE EXECUTION bugs in one update. Sure, they'll fix a bunch of bugs, and some of them might be remote code execution or other critical problems. But that's a lot of ways for someone to break out of the sandbox that are out there in the wild at the moment.